1. Introduction
The purpose of the Data Protection Agreement (hereinafter “DPA”) is to govern the use of personal data of the Client, which acts as a controller (hereinafter the “Client”), by Eval&GO, which acts as a Processor (hereinafter the “Processor”) within the framework of the Agreement (hereinafter the “Agreement”).
The DPA is part of the Agreement signed between the Client and the Processor. In the event of any inconsistency between the Agreement and the DPA, the obligations set forth in the DPA shall prevail with respect to the applicable data protection rules.
All data protection terms used in the DPA (e.g. controller, processor, etc.) are defined in Article 4 of the General Data Protection Regulation (“GDPR”).
The Processor is a French company. The standard version of the DPA is therefore the French version. In case of misinterpretation due to translation of the documents, the French version always prevails.
2. Statement
The Processor declares that it complies with all applicable data protection rules that include the GDPR and the Data Protection Act.
Processor declares that it has all sufficient safeguards to meet the requirements of applicable data protection rules and, in particular, to ensure confidentiality and protection of Client data.
The Processor declares that all of its employees who process the Client’s personal data are bound by a confidentiality clause or by any other legal act (e.g. rules of good conduct, information systems charter, etc.) to guarantee the confidentiality of the Client’s personal data.
The Processor declares that it regularly trains and educates its employees on the applicable data protection rules.
3. Instructions
Processor agrees to use Client’s personal data only on documented instructions from Client.
The Client undertakes to inform the Processor of any changes in the instructions that may be carried out regarding the use of its personal data.
Processor shall promptly notify Client if Client’s documented instructions constitute a violation of applicable data protection rules.
4. Compliance by default and by design
Processor shall provide its service “as is”, in compliance with (i) service compliance by design and (ii) service compliance by default.
The Processor provides a service with all functionalities enabling the Client to meet its obligations as a data controller.
Accordingly, Processor shall never be liable for Client’s non-compliant use of the Service with data protection rules.
5. Security
The Processor certifies and undertakes to ensure the security of the Client’s personal data and to implement all technical and organizational measures necessary to prevent any risk of data breach.
6. Breach of data
The Processor undertakes to notify the Client, as soon as possible after becoming aware of it, of any data breach that may affect the Client’s personal data.
The notification shall specify all information necessary for Client to process the data breach described in Article 28 of the GDPR.
In the event of a data breach, Processor agrees to take all necessary steps to remedy, and lower the impact of the breach on Client’s personal data.
Except with the express, prior and written consent of the Client, the Processor is not authorized to make notifications of data breaches to the supervisory authority and to the persons concerned by the processing carried out under the Contract.
7. Help and assistance in matters of security
The Processor shall provide Customer with all necessary and required information on the technical and organizational security measures to be implemented under the Contract to ensure the security of its personal data.
Processor shall provide to Customer, upon written request, all information necessary and required to ensure the completion of an impact analysis (“PIA”).
The Processor shall not be obliged to ensure or audit the Customer’s security or to carry out impact analyses (“PIA”) in the place and on behalf of the Customer. Any additional request to provide information may be refused and, if necessary, an additional service charged.
8. Help and assistance in matters of rights of data subjects
Upon written request, Processor shall provide Customer with all information necessary and required for Customer to fulfill its obligation to respond to requests from data subjects.
Processor shall, upon written request from Customer, perform such technical actions as may be necessary to fulfill Customer’s obligation to respond to requests from affected persons.
However, the Processor is not obliged to manage requests for personal rights in the place and on behalf of the Client. Any additional request to ensure such management may be refused and, possibly, an additional service charged.
9. Sub-processor
Client agrees that Processor may engage Sub-processors solely in connection with the performance of the Contract provided that Processor notifies Client of any changes regarding such Sub-processors so that Client may object thereto.
Customer may issue objections by registered letter with return receipt if (i) the Sub-processor is one of its competitors, (ii) Customer and the Sub-processor are in a dispute or litigation situation, and (iii) the Sub-processor has been the subject of a condemnation by a data protection supervisory authority within one year of its recruitment by the Processor. Each of these situations must be demonstrated.
In the event the objection is sustained, the Processor shall have 6 months from receipt of the objection to modify the Sub-processor or to ensure compliance with the GDPR by such Sub-processor.
Failing this, Customer may terminate the Agreement subject to six (6) months notice, without Customer being entitled to claim compensation of any kind.
In all cases, the Processor agrees to engage only Sub-processors that have the necessary and sufficient guarantees to ensure the security and confidentiality of Customer’s personal data.
As such, the Processor agrees to (i) regularly monitor its Sub-processors and (ii) that the contract with the subsequent Sub-processor used in the service will contain obligations similar to those in the DPA.
In any event, the Processor shall remain liable for the actions of the Sub-processor under the Contract.
10. Fate of personal data
Customer shall promptly notify Processor in writing of its choice (option 1) to return the personal data to Controller and then delete the personal data and all existing copies, or (option 2) to directly delete the personal data and all existing copies, or (option 3) to transfer the personal data to a new provider and then delete the personal data and all existing copies. Unless otherwise provided for in the Agreement, option 3 must be quoted by Processor.
If the Customer does not inform the Processor of its choice, the Processor reserves the right to directly delete the data and all copies (option 2).
The deletion of data is irreversible. The Customer is therefore invited to recover its data before the service is stopped. In case of deletion of the Customer’s data by the Processor, the Customer remains solely responsible for the disappearance of the data and any consequences that may occur.
The Processor shall certify to the Customer, upon written request, that the personal data and all existing copies have been effectively deleted.
11. Audits
The Client has the right to conduct an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Processor.
The questionnaire may be communicated in any form to the Processor, who undertakes to respond within a maximum of two months of receipt.
Customer also has the right to conduct an on-site audit, at its own expense, once a year only in the event of a data breach or violation of applicable data protection rules and this Agreement, including as established by the written questionnaire.
An on-site audit may be conducted either by Customer or by an independent third party designated by Customer and must be notified to Processor in writing at least thirty (30) days prior to conducting the audit.
Processor has the right to refuse the selection of the independent third party if the independent third party is (i) a competitor or (ii) in pre-litigation or litigation with Processor. In such case, Client agrees to select a new independent third party to perform the audit.
Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, Processor will audit these areas at its own expense and report the results to Customer.
In the event of any deviation found during the audit, Processor agrees to implement, without delay, the measures necessary to comply with this Agreement.
12. Transfers of data outside the European Union
The Processor undertakes to use its best endeavours not to transfer the Customer’s personal data outside the European Union or to recruit a Sub-processor located outside the European Union.
Nevertheless, in the event that such transfers prove necessary within the framework of the Contract, the Processor undertakes to implement all the mechanisms required to supervise such transfers, such as, in particular, entering into binding corporate rules (“BCR”) or standard contractual clauses (“SCC”) adopted by the European Commission.
13. Cooperation with the supervisory authority
Where this concerns processing carried out within the framework of the Contract, the Processor undertakes to provide, on request, all the information necessary for the Client to cooperate with the relevant control authority.
14. Contact
Customer and Processor shall each designate a interlocutor who shall be in charge of this DPA and who shall be the recipient of the various notifications and communications to be made under the DPA.
The Processor informs the Client that it has appointed Dipeeo as its Data Protection Officer, who can be contacted at the following address
Email address: rgpd@evalandgo.com
Postal address: Dipeeo SAS, 104 avenue de la Résistance, 93100 Montreuil
Phone number : +33 09 86 23 21 29
15. Review
Customer reserves the right to modify this Agreement in the event of changes in applicable data protection regulations that would alter any of its provisions.
16. Applicable law
Notwithstanding any provision to the contrary in the Contract, this Agreement shall be governed by French law. Any dispute relating to the performance of this Agreement shall be subject to the exclusive jurisdiction of the courts of the jurisdiction of the Court of Appeal of the place of residence of the Processor.
